Update: It’s Time To Stop Ransomware Shaming!

Shaming victims of ransomware overlooks the many factors that contribute to successful ransomware attacks.

In-brief: It’s time to stop the ransomware shaming. The truth is that successful ransomware infections are children with many fathers – from lax security practices to vulnerable software. Update: added comment from Dodi Glenn of PC Pitstop. PFR 2/21/2015.

Hollywood Presbyterian Medical Center in Los Angeles acknowledged this week that it ended a days-long attack that locked hospital staff out of critical systems by paying 40 BitCoin, worth approximately $17,000, to as-yet unknown and unidentified cyber criminals.

In a letter to staff on Wednesday, Allen Stefanek, the President & CEO of Presbyterian Medical Center, said that the payment was made to end a 10-day-long ransomware infection that had crippled many of the hospital’s patient management and diagnostic systems, including its electronic medical record (or “EMR”) system.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote. “In the best interest of restoring normal operations, we did this.”

The news brought swift expressions of dismay from the technology community, with not a little bit of ransomware ‘shaming’ sprinkled in.

Hospitals have not been “as diligent in combating cyber threats such as ransomware as other sectors,” experts were quoted saying in this Associated Press article, with one expert saying that hospitals are “about 10 to 15 years behind the banking industry” in combating cyber threats.

Also typical were articles like this one, at the Bitcoin news site newsbtc.com, that made the case that paying the ransom should never be necessary. Rather: falling to ransomware was evidence of a kind of technological turpitude.

“It is no secret how ransomware attacks will only occur due to a mistake by the end user,” the article reads.

The sad truth is that ransomware victims, not their attackers, are often the first to be blamed for attacks. Victims lacked adequate endpoint protection software, failed to train their users not to click on suspicious links in e-mail or social media messages, failed to implement an effective and comprehensive data backup plan, or all three.

The same was true back in October, when this publication reported on a speech by Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in the Bureau’s Boston office. Noting the impossibility of breaking strong encryption used by ransomware products and the difficulty of otherwise subverting the malicious software, Bonavolonta said that the Bureau often advises companies to “just to pay the ransom” if they want their data back.

The reaction online was disbelief and, in some cases, condemnation. An extensive discussion sprang from the article on the IT professional site Spiceworks that continues to this day, with most users critical of the FBI for “giving in to terrorism” (their term, not mine). Commenters were especially critical of the victimized organizations. A recent comment by user AaronKent on February 19 sums up the opinions of many Spiceworks commenters:

if (sp) you get hit by ransom-ware, it’s your fault.

If you cannot recover from ransom-ware, it’s your fault.

pay the fine and learn from your mistake.

if you get hit a second time?

stop touching keyboards.

Is that fair? In some cases, yes. But it is my opinion that it is time for the ransomware shaming to stop.

The fact is that successful ransomware infections have many fathers. Many of the factors that contribute directly to ransomware infections are beyond the ability of organizations to control.

For example, a study by the firm BitDefender in 2015 found that drive-by download installs via compromised web sites or malvertising are among the most common attack vectors for ransomware. Attackers use sophisticated exploit kits, such as Angler, to manage such campaigns: minutely profiling web site visitors to deliver the right attack for the right computer configuration – or no attack at all.

With such sophisticated targeting, in other words, ransomware victims may have done nothing more than visit the right website at the wrong time.

Any organization shaming a ransomware victim might consider whether it had been the victim of a non-crypto malware attack in the last 12 months and then consider how it would have fared if the deliverable had been the latest version of cryptolocker instead of a data stealing Trojan, botnet software or something else.

Consider also that organizations like hospitals are under considerable pressure to comply with rules like the U.S. Federal health privacy law (HIPAA), which erect high barriers around patient data, but say nothing about endpoint protections or best practices to defeat malware.

True: there are simple steps that organizations can take to limit the spread of ransomware, even if they can’t stop infections. Regular daily (or semi-daily) backups of critical systems to air-gapped or cloud-based systems can make recovering from a ransomware infection as simple as restoring an earlier version of the infected system.

Dodi Glenn, the Vice President of Cyber Security at the firm PC Pitstop, and a board member of the Anti-Malware Testing Standards Organization (AMTSO), said that storage costs are so low that there is “really no excuse” for organizations to not take advantage of both on-network and off-site (cloud-based) backup for critical systems.

More important: limiting the access permissions of your users and pruning unnecessary permission grants to other network systems and file shares can keep ransomware infections from spreading on your network.

But, in the end, a chain is only as strong as its weakest link, and even temporary lapses in an otherwise sound IT policy could spell disaster in the event of a ransomware infection.

Then there’s the matter of paying. The fact is that ransoms demanded by cyber criminals behind cryptolocker and other malware are usually modest. This isn’t because the cyber criminals don’t know they have IT departments by the short hairs. It’s because they have a business model that’s built on high volume, low value transactions. With so many victims, the path to riches is not to hold out for a giant reward, but to help them complete their transaction as quickly as possible and move on to the next mark. Some ransomware operations even offer chat based support for victims to facilitate rapid payment. That’s no accident. Recent stories such as this one suggest that the biggest obstacle to resolving infections, for victim organizations, is figuring out how to safely complete a Bitcoin transaction.

For stricken organizations, the math behind paying the ransomware is really pretty straightforward, as Presbyterian Medical’s CEO made clear in his letter. Yes: $17,000 is a lot to pay, but so is keeping an entire IT staff working overtime to try to break the ransomware. In fact: those overtime costs add up to a lot more than $17,000 – and fast.

In short, paying to end a ransomware attack is an admission of failure, it’s true. But it is also an eminently sensible decision that could save your organization time and money. It’s time to stop the ransomware shaming and figure out a way to stop these attacks from happening altogether.

Still, paying the ransom is hardly the end of the story for stricken organizations. Glenn of PC Pitstop notes that falling victim to a ransomware attack is a huge signal to other would-be attackers that your organization is vulnerable, with weak information security practices and internal controls. Follow-on attacks are a real danger.

But anyone shaming a ransomware victim might consider whether her own network had been the victim of a non-crypto malware attack in the last 24 months, or whether a compromise might still lurk somewhere, quietly. Then consider how her own environment would have fared if the malicious deliverable had been a late-model crypto ransomware like Locky instead of a data stealing Trojan, spambot or some other, more innocuous threat.

Author: Paul

I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."

16 Comments

I have to disagree. There’s no reason to have the hospital critical systems on the Internet and no reason to not have a backup recovery system that obviates ransomware attacks. Bad on the Hospital, and frankly fire their board for this lapse in governance.

Finally, I have to add that if ISIS had lobbed a grenade into the Hospital, or North Korea had hit it with an ICBM there would have been a kinetic response. Until we stop pussy-footing around “investigating” cyber attacks as crimes and unleash the DOD Cyber Command and kinetic responses to cyber attacks, we aren’t doing enough to create a realistic disincentive. They didn’t stop train robberies in the 19th century by investigating them to death, they sicced the Pinkertons on the criminals.

Cyber attack ==> Kinetic response. Yikes! Obviously, the key problem with that formula is attribution. It’s pretty simple to figure out who launched a missile or who lobbed a grenade. It is much more difficult to be confident in attribution for an incident (look at the controversy around the Sony Pictures Entertainment hack). Also: equating logical attacks with physical attacks is a very dangerous precedent. I’ve covered cyber for 13 years and the notion that encrypting my files should prompt the same response as walking into the lobby and murdering people sounds…well…disproportionate and extreme.

Jeez, what the heck, IoT guy? I always thought you were sort of one of the saner people out there. Your response just threw me for a loop. Instead of arguing against it, which is my first inclination, I’d ask you instead why you think a kinetic response is at ALL appropriate.

Wow, I even side with Paul, here, at least with some of what he says. I don’t think ‘attribution’ should be the key value though.

FWIW, by your argument, Iran would have every right to lob nuclear warheads at Israel, the US, and the UK… And that’s just one example. Would they? Should they? Put another way, kinetic to kinetic, if Afghanistan was (and it was) invaded, they should be permitted to retaliate by invading the US and its allies. Just some things to consider before you advocate for kineticism — one cyber, one not. We should be striving for diplomacy, not instigating war and threatening the cracking open of the frigging earth. Why does might make right? Who says who deserves what?

What happened to the court system and, you know, due process (regardless of who or where it is)?

Sigh.

Maybe you’re having a bad day.

I’d say it’s ESPECIALLY overkill when you’re saying this when it comes to Ransomware (and I’m not a fan).

Was in London at a large hospital there, in capacity as Endpoint AV consultant. They had 1000s of machines that included OS embedded into proprietary devices. They couldn’t upgrade either their OS nor even its Service Pack (was XP-SP1 or something), because the devices would go into BSOD. Therefore, they had hundreds of infected machines, all with ancient malware that had long been coded in to every AV signature out there – again, updates were put off owing to older OS, etc. A complete horror to manage – even with a roomful of people monitoring progress and updates.

In short, hospitals have lots of IOT-style devices (or proto-IOT, as this was 8 years ago) that relate to bedside monitors and even emergency kit. And there’s always some dual-horned machine somewhere in the basement, with an internet-facing NIC that allows malware a window in.

Backups would be the best way to circumvent ransomware – but I suspect there would still be issues unless their IT departments were dedicated to isolating all the life-threatening critical systems from those in use by the majority of staff. Seems simple enough, but until their execs are forced to understand the problem (e.g., $17K worth of understanding), they will never approve the budgets required to make the necessary changes.